Slashdot Mirror


Lenovo Still Shipping Laptops With Superfish

Ars Technica reports that weeks after Lenovo said it would stop selling computers with Superfish adware installed, it's still there for many purchasers of the company's laptops. From the article: Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February, more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.

"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed."
Supply chains are long, and hand-work is expensive, so this might not surprise anyone. Less forgivable, though, is this finding about the software provided to purge machines of the adware: "Lenovo's software didn't begin to live up to its promise of removing all Superfish-related data. Based on its own self-generated report, the tool left behind the Superfish application itself. A scan using the Malwarebytes antivirus program found the Superfish remnants VisualDiscovery.exe, SuperfishCert.dll, and a VisualDiscovery registry setting."

8 of 127 comments

  1. Never trust them again by gman003 · · Score: 3, Insightful

    This was such a blatantly anti-customer move that I will never - NEVER - be a Lenovo customer again. They cannot be trusted, and probably can never be trusted again because any "change" could just be a whitewashing campaign, not a real change.

    This is simply more evidence that they deserve all the shit they're getting, and more.

  2. Lenovo is looking at this from a profit PoV by QuietLagoon · · Score: 5, Insightful
    Lenovo is not looking at this from a customer point of view. They are looking to minimize the damage to their profits caused by their arrogant ignorance.

    From that point of view, why should they reimage the drives of notebooks in inventory?

  3. Re:Too late by sumdumass · · Score: 4, Insightful

    Unless his company dissolves or passes the burden of purchasing laptops onto employees in the future, there will be a need in 3-5 years to get new ones.

    However, 1200 laptops, with a company that large it should be using volume licensing and reimaging the computers with their own keyed software. This would negate anything the manufacturer does. Is there something with new laptops making this impractical?

  4. The solution is simple by kheldan · · Score: 4, Insightful

    Wipe the drive and do a clean install of Windows. You'll probably also be getting rid of a whole bunch of other bloatware in the process anyway, so win-win.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  5. Re: Rush job? by SigmundFloyd · · Score: 3, Insightful

    I think Hanlon's razor (never attribute to malice what can be explained by stupidity) is way too optimistic about human nature.

    Lenovo has no ethics, pure and simple. As far as I'm concerned, they lost a prospective customer.

    --
    Knowledge is power; knowledge shared is power lost.
  6. Re:Too late by Anonymous Coward · · Score: 4, Insightful

    I don't think they're worried about the OS level stuff, but more that if they'll load malware onto a consumer product intentionally they might consider loading other less savory things into firmware or something similar. There's worry about the slippery slope rather than the actual Superfish fiasco.

  7. Re:Too late by thegarbz · · Score: 4, Insightful

    If a company is incompetent enough to ship such insecure software, why would you trust that their firmware drivers were safe? If a company thinks it's good economic sense to ship adware, why would you trust them to use high quality components where they might save a few cents by using cheaper low quality ones?

    That's an easy answer. Companies are ignorant machines. A company isn't incompetent, certain parts of it are. While a small group of idiots thought it may be a good idea to do one thing, it is quite likely that the other group (responsible for firmware or hardware) had no idea that it was going on, have far better quality for their own segment, and the people may have even been against it had they known.

    I postulate that the people assembling the hardware or the firmware had no idea what malware was being installed on the final machine, and that one has nothing to do with the other.

  8. Re:General Consumer vs. Business Models by HiThere · · Score: 3, Insightful

    It's not even so much morality as self interest. If they'll do this to some of their customers, they'll do it to others, so you don't want to be one of those others. And if software is too easily removed they're quite capable of doing it in firmware.

    Doing business only with reputable companies falls within the area of "enlightened self-interest" rather than altruism.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.